Abstract

Constraint LTL, a generalisation of LTL over Presburger constraints, is often used
as a formal language to specify the behavior of operational models with constraints.
The freeze quantifier can be part of the language, as in some real-time logics, but
this variable-binding mechanism is quite general and ubiquitous in many logical
languages (first-order temporal logics, hybrid logics, logics for sequence diagrams,
navigation logics, logics with $\lambda$-abstraction etc.). We show that Constraint LTL
over the simple domain $(\mathbb{N}, =)$ augmented with the freeze quantifier is undecidable,
which is a surprising result in view of the poor language for constraints (only
equality tests). Many versions of freeze-free Constraint LTL are decidable over domains
with qualitative predicates and our undecidability result actually establishes
$\Sigma^1_1$-completeness. On the positive side, we provide complexity results when the domain
is finite (ExpSpace-completeness) or when the formulae are flat in a sense
introduced in the paper. Our undecidability results are sharp (i.e. with restrictions on the
number of variables) and all our complexity characterisations ensure completeness
with respect to some complexity class (mainly PSpace and ExpSpace).
1 Introduction

Model-checking for infinite-state systems. Temporal logics are well-studied
formalisms to specify the behavior of finite-state systems and the
computational complexity of the model-checking problems is nowadays well-known,
see e.g. a survey in [2]. However, many systems such as communication
protocols have infinitely many configurations and usually the techniques for
the finite case cannot be applied directly. For numerous infinite-state systems,
the model-checking problem for the linear-time temporal logic LTL can
be easily shown to be undecidable (counter automata, hybrid automata and
more general constraint automata [3, Chapter 6]). Actually, simpler problems
such as reachability are already undecidable. However, remarkable classes of
infinite-state systems admit decidable model-checking problems, such as timed
automata [4] and subclasses of counter automata [5,6,7,8,9]. For instance,
fragments of LTL with Presburger constraints have been shown decidable over
appropriate counter automata [10,11]. In order to push further the decidability
border, one way consists in considering larger classes of operational models, see
e.g. [5]. Alternatively, enriching the specification language is another
possibility. In the paper, we are interested in studying systematically the extensions
of versions of LTL over concrete domains by the so-called freeze quantifier,
and in analysing the consequences in terms of decidability and computational
complexity.



A variable-binding mechanism. The freeze quantifier in real-time logics
has been introduced by Alur and Henzinger in the logic TPTL, see e.g. [12].
The formula $x \cdot \phi(x)$ binds the variable $x$ to the time $t$ of the current state:
$x \cdot \phi(x)$ is semantically equivalent to $\phi(t)$. Alternatively, in the explicit clock
approach [13], there is an explicit clock variable $t$ and even though in this
approach the freeze variable-binding mechanism is possible, the logical
formalisms from [12] and [13] are incomparable. In this paper, we want to extend
some of the decidable logics from [10,11,14] to admit the freeze quantifier:
$\downarrow_{y=x} \phi(y)$ holds true at a state iff $\phi(y)$ holds true at the same state with $y$
taking the value of $x$. Here, $y$ can be in the scope of temporal operators. A
crucial difference with the logics in [12,13] rests on the fact that the variable $x$
may not be monotonic. We focus on decidability and complexity issues when
the language of constraints (at the atomic level of the logics) is very simple in
order to isolate the effects of the freeze quantifier. We know for instance that
LTL over integer periodicity constraints augmented with the freeze quantifier
is ExpSpace-complete [14].

The above-mentioned variable-binding mechanism that allows the binding of
logical variables to objects is very general and it has been used in the literature
for various purposes. Details will be provided along the paper (see e.g. Sections
2.2 and 5). In particular, one can see flexible variables as processes, values of
the domain as resources, and the freeze quantifier and rigid variables as ways
to extract and store the current resource used by a process. This view is
nicely illustrated in [15] by the specification of a communication protocol. In
Section 2.2, we consider the case of a process requesting memory blocks.



Our contribution. In the paper, we analyse decidability and complexity
issues of Constraint LTL augmented with the freeze quantifier. The temporal
operators we consider are restricted to the standard future-time operators
'until' and 'next' (no past-time operators). CLTL$^{\downarrow}(\mathcal{D})$ denotes such a logic
over the concrete domain $\mathcal{D}$. A concrete domain is composed of a non-empty
set equipped with a family of relations. The atomic formulae of CLTL$^{\downarrow}(\mathcal{D})$ are
based on constraints over $\mathcal{D}$ with the ability to compare values of variables
at states of bounded distance (see details in the body of the paper) as done
in [16,17,11,18].

First, we show that when the underlying domain $\mathcal{D}$ is finite, CLTL$^{\downarrow}(\mathcal{D})$
satisfiability is in ExpSpace. If moreover $\mathcal{D}$ has at least two elements with
the equality predicate, then CLTL$^{\downarrow}(\mathcal{D})$ is ExpSpace-hard. As a corollary,
CLTL$^{\downarrow}(D, =)$ satisfiability is ExpSpace-complete when $|D| \geq 2$ and $D$ is
finite (Section 3.2). This witnesses an exponential blow-up since satisfiability
for the freeze-free fragment CLTL$(\mathcal{D})$ when $\mathcal{D}$ is finite can be easily shown in
PSpace as plain LTL [19].

When the domain $D$ is infinite, we show that CLTL$^{\downarrow}(D, =)$ is undecidable
which is the main result of the paper (Section 4). This is quite surprising
since the language of constraints is poor (only equality tests) and only
future-time operators are used unlike what is shown in [14, Section 7] with past-time
operators. Our proof, based on a reduction from the Recurrence Problem for
2-counter machines, refines this result: CLTL$^{\downarrow}(D, =)$ is $\Sigma^1_1$-complete even if
only one flexible variable and two rigid variables (used to record the values
of flexible variables) are involved. Hence, in spite of the very basic Presburger
constraints in CLTL$^{\downarrow}(\mathbb{N}, =)$, satisfiability is $\Sigma^1_1$-complete. Decidability
of CLTL$^{\downarrow}(\mathcal{D})$ can be obtained either at the cost of syntactic restrictions or by
assuming semantical constraints (as in the logic TPTL [12] where the freeze
quantifier can only record the value of a monotonic variable, namely time).

In order to regain decidability, we introduce the flat fragment of CLTL$^{\downarrow}(\mathcal{D})$
which contains the freeze-free fragment CLTL$(\mathcal{D})$ and we show that there
is a logarithmic-space reduction from the flat fragment of CLTL$^{\downarrow}(\mathcal{D})$ into
CLTL$(\mathcal{D})$ assuming that the equality predicate belongs to $\mathcal{D}$. As a corollary,
we obtain that the flat fragments of CLTL$^{\downarrow}(\mathbb{Z}, <, =)$ and CLTL$^{\downarrow}(\mathbb{R}, <, =)$ are
PSpace-complete (Section 3.2). Flat fragments of plain LTL versions have
been studied in [20,10] (see also in [21, Section 5] the design of a flat logical
temporal language for model-checking pushdown machines) and our definition
of flatness takes advantage in a non-trivial way of the polarity of 'until'
subformulae occurring in a formula. This is a standard way to restrict the interplay
between modalities and quantifiers, see e.g. [22,10,23]. Although we do not
claim that flat formulae are especially interesting in practice, they cover
non-trivial uses of the freeze quantifier. However, they cannot express the property
that a variable at distinct points takes distinct values.

Along the paper, we consider the satisfiability problem, but as shown in
Section 2.3, our results extend to the model-checking problem.

CLTL$^{\downarrow}(\mathcal{D})$ extends naturally the freeze-free fragment CLTL$(\mathcal{D})$, and we show
that it increases strictly the expressive power (Proposition 1). However, we
prove that significant fragments of CLTL$^{\downarrow}(\mathcal{D})$ are as expressive as the full
language, for instance by recording only values of flexible variables at the current
state or by allowing only rigid variables in atomic formulae (see Section 2.4).

Apart from the technical contributions of the paper, we provide comparisons
with several works which involve freeze-like operators, such as in first-order
quantification, in timed LTL, in hybrid logics with reference pointers, to quote
a few examples.



Structure of the paper. In Section 2, we present Constraint LTL with the
freeze quantifier, satisfiability and model-checking problems of interest, and
consider relative expressivity. Section 3 contains decidability and complexity
results when the underlying concrete domain is finite or when restricting to the
flat fragment. In Section 4, we show that CLTL$^{\downarrow}(\mathbb{N}, =)$ is $\Sigma^1_1$-complete. Related
work is discussed in Section 5. In Section 6, we conclude and enumerate a few
open problems.



2 Constraint LTL with the freeze quantifier

2.1 Syntax and semantics

A constraint system is a set, called the domain, with a countable family of
relations on this set. Let $\mathcal{D} = (D, (R_i)_{i \in I})$ be a constraint system. We define
the logic CLTL$^{\downarrow}(\mathcal{D})$ by giving its syntax and semantics.

Syntax. Let FleVarSet and RigVarSet be countable sets of variables which
are respectively called flexible variables and rigid variables. Terms are given
by the grammar:

$$t ::= \underbrace{X \cdots X}_{n \text{ times}}\, x \mid y$$

where $x$ is in FleVarSet and $y$ is in RigVarSet. We use $X^n$ as an abbreviation
for $\underbrace{X \cdots X}_{n \text{ times}}$. Formulae are given by the grammar:

$$\phi ::= R(t_1, \ldots, t_n) \mid \neg\phi \mid \phi_1 \wedge \phi_2 \mid X\phi \mid \phi_1 U \phi_2 \mid \downarrow_{y = X^n x} \phi$$

where $R$ ranges over the predicate symbols associated to the relations in
$(R_i)_{i \in I}$, $x$ over FleVarSet, and $y$ over RigVarSet. Note that we use $X$ for
denoting either the $n$th next value $X^n x$ of the variable $x$ or the formula $X\phi$.
We define the Boolean constants, and the temporal operators 'sometimes' and
'always', as the following abbreviations: $\top = R(t_1, \ldots, t_n) \vee \neg R(t_1, \ldots, t_n)$,
$F\phi = \top U \phi$, $\bot = R(t_1, \ldots, t_n) \wedge \neg R(t_1, \ldots, t_n)$, and $G\phi = \neg F \neg\phi$.

Let FleVars($\phi$) and RigVars($\phi$) denote the sets of all flexible and rigid
(respectively) variables which occur in $\phi$.

Freeze-free fragment. CLTL$(\mathcal{D})$ is the fragment of CLTL$^{\downarrow}(\mathcal{D})$ with no rigid
variables and hence without freeze quantifier.

Flat fragment. We say that the occurrence of a subformula in a formula is
positive if it occurs under an even number of negations, otherwise it is negative.
The flat fragment of CLTL$^{\downarrow}(\mathcal{D})$ is the restriction of CLTL$^{\downarrow}(\mathcal{D})$ where, for any
subformula $\phi_1 U \phi_2$, if it is positive then $\downarrow$ does not occur in $\phi_1$, and if it is
negative then $\downarrow$ does not occur in $\phi_2$.

More precisely, the flat fragment consists of the following formulae $\phi$.
Subformulae $\phi$ are positive, whereas subformulae $\phi^-$ are negative.

$$\phi ::= R(t_1, \ldots, t_n) \mid \neg\phi^- \mid \phi_1 \wedge \phi_2 \mid X\phi \mid \psi U \phi \mid \downarrow_{y = X^n x} \phi$$
$$\phi^- ::= R(t_1, \ldots, t_n) \mid \neg\phi \mid \phi^-_1 \wedge \phi^-_2 \mid X\phi^- \mid \phi^- U \psi \mid \downarrow_{y = X^n x} \phi^-$$
$$\psi ::= R(t_1, \ldots, t_n) \mid \neg\psi \mid \psi_1 \wedge \psi_2 \mid X\psi \mid \psi_1 U \psi_2$$



Semantics. A model $\sigma : \mathbb{N} \to (\text{FleVarSet} \to D)$ is a sequence of mappings
from FleVarSet to $D$. For any $i \in \mathbb{N}$, we write $\sigma^i$ for the model defined by
$\sigma^i(j) = \sigma(i + j)$ for every $j \geq 0$. An environment $\rho$ is a mapping from RigVarSet
to $D$. We write $\rho[x \mapsto v]$ for the environment mapping $x$ to $v \in D$, and any
other variable $y$ to $\rho(y)$. The semantics of terms is given by:

$$[\![X^n x]\!]_{\sigma,\rho} = \sigma(n)(x) \quad \text{if } x \text{ is in FleVarSet}$$
$$[\![y]\!]_{\sigma,\rho} = \rho(y) \quad \text{if } y \text{ is in RigVarSet}$$

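The semantics of formulae is given by the following satisfaction relation. (Note
that we use $R$ for both a relation symbol and the relation it denotes.)

• $\sigma \models_\rho R(t_1, \ldots, t_n)$ iff $([\![t_1]\!]_{\sigma,\rho}, \ldots, [\![t_n]\!]_{\sigma,\rho}) \in R$,

• $\sigma \models_\rho \neg\phi$ iff $\sigma \not\models_\rho \phi$,

• $\sigma \models_\rho \phi_1 \wedge \phi_2$ iff $\sigma \models_\rho \phi_1$ and $\sigma \models_\rho \phi_2$,

• $\sigma \models_\rho X\phi$ iff $\sigma^1 \models_\rho \phi$,

• $\sigma \models_\rho \phi_1 U \phi_2$ iff there exists $i$ such that $\sigma^i \models_\rho \phi_2$ and for all $j < i$, $\sigma^j \models_\rho \phi_1$,

• $\sigma \models_\rho \downarrow_{y = X^n x} \phi$ iff $\sigma \models_{\rho[y \mapsto \sigma(n)(x)]} \phi$.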

2.2 Examples

As a first example, consider the formula

$$\phi_{\neq} \stackrel{\text{def}}{=} G \downarrow_{y=x} XG\,(x \neq y)$$

which states that the values of the variable $x$ at different points in time are
mutually distinct. This is interesting for the verification of cryptographic
protocols, where nonces are variables which have to be fresh, i.e. they cannot take
twice the same value.

As a second example, we consider a process requesting memory blocks. Let us
assume two flexible variables $o$ (for operator) and $a$ (for argument) such that
$o$ takes its values in the finite domain {Malloc, Access, Free} and $a$ takes its
values in an infinite set of memory locations.

We use Malloc($x$), Access($x$) and Free($x$) as respective abbreviations for
$o = \text{Malloc} \wedge a = x$, $o = \text{Access} \wedge a = x$, and $o = \text{Free} \wedge a = x$ ($x$ is a rigid
variable).

We can easily express the following properties in CLTL$^{\downarrow}(\mathcal{D})$.

• As soon as a memory location is freed, either it is never accessed again, or
it is not accessed until it is allocated again:

$$G(o = \text{Free} \Rightarrow \downarrow_{x=a} (G \neg\text{Access}(x) \vee \neg\text{Access}(x)\, U\, \text{Malloc}(x)))$$

• When a memory location is allocated, it will either be freed in the future
or will always be eventually accessed (so that we do not waste memory):

$$G(o = \text{Malloc} \Rightarrow \downarrow_{x=a} (F\,\text{Free}(x) \vee GF\,\text{Access}(x)))$$
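
The two memory properties and the freshness formula of this section can be evaluated mechanically on ultimately periodic models, following the satisfaction relation of Section 2.1. The Python evaluator below is an added example, not code from the paper: the tuple encoding of formulae, the `Lasso` class, the `("const", v)` terms standing for tests such as o = Malloc, and the sample traces are all assumptions made for illustration.

```python
# Added example: CLTL with the freeze quantifier on lasso models u . v^omega.
# Formulas are nested tuples; this encoding and all names are assumptions.

class Lasso:
    """Ultimately periodic model: `prefix`, then `loop` repeated forever."""
    def __init__(self, prefix, loop):
        if not loop:
            raise ValueError("loop must be non-empty")
        self.states, self.start = list(prefix) + list(loop), len(prefix)

    def succ(self, i):
        # Index of the next suffix model, folded back into the loop.
        return i + 1 if i + 1 < len(self.states) else self.start

    def value(self, i, n, x):
        # Term X^n x read at position i, i.e. sigma(i + n)(x).
        for _ in range(n):
            i = self.succ(i)
        return self.states[i][x]

def term(m, i, rho, t):
    if t[0] == "flex":                 # ("flex", n, x) is X^n x
        return m.value(i, t[1], t[2])
    if t[0] == "rig":                  # ("rig", y) is read from rho
        return rho[t[1]]
    return t[1]                        # ("const", v): shorthand, an assumption

def holds(m, i, rho, f):
    """Does the suffix model sigma^i satisfy f under environment rho?"""
    op = f[0]
    if op == "true":
        return True
    if op == "eq":
        return term(m, i, rho, f[1]) == term(m, i, rho, f[2])
    if op == "not":
        return not holds(m, i, rho, f[1])
    if op == "and":
        return holds(m, i, rho, f[1]) and holds(m, i, rho, f[2])
    if op == "X":
        return holds(m, m.succ(i), rho, f[1])
    if op == "U":
        # All distinct suffixes reachable from i are seen in len(states) steps.
        for _ in range(len(m.states)):
            if holds(m, i, rho, f[2]):
                return True
            if not holds(m, i, rho, f[1]):
                return False
            i = m.succ(i)
        return False
    if op == "freeze":                 # ("freeze", y, n, x, body)
        return holds(m, i, {**rho, f[1]: m.value(i, f[2], f[3])}, f[4])
    raise ValueError(f"unknown operator {op!r}")

TRUE = ("true",)
def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def Or(f, g): return Not(And(Not(f), Not(g)))
def Implies(f, g): return Or(Not(f), g)
def X(f): return ("X", f)
def U(f, g): return ("U", f, g)
def F(f): return U(TRUE, f)
def G(f): return Not(F(Not(f)))
def Freeze(y, x, f, n=0): return ("freeze", y, n, x, f)

def is_op(name):                       # o = name
    return ("eq", ("flex", 0, "o"), ("const", name))

def op_on(name, y):                    # Malloc(y), Access(y), Free(y)
    return And(is_op(name), ("eq", ("flex", 0, "a"), ("rig", y)))

# The two memory properties and the freshness formula from the text.
FREED_OK = Implies(is_op("Free"), Freeze("x", "a", Or(
    G(Not(op_on("Access", "x"))),
    U(Not(op_on("Access", "x")), op_on("Malloc", "x")))))
NO_USE_AFTER_FREE = G(FREED_OK)
NO_LEAK = G(Implies(is_op("Malloc"), Freeze("x", "a", Or(
    F(op_on("Free", "x")), G(F(op_on("Access", "x")))))))
FRESH = G(Freeze("y", "x", X(G(Not(("eq", ("flex", 0, "x"), ("rig", "y")))))))

def violations(m, body):
    """Positions where `body` fails: the witnesses against G body."""
    return [i for i in range(len(m.states)) if not holds(m, i, {}, body)]

def trace(*steps):
    return [{"o": o, "a": a} for o, a in steps]

# Constructed sample models (not taken from the paper).
GOOD = Lasso(trace(("Malloc", 1), ("Access", 1), ("Free", 1)),
             trace(("Malloc", 2), ("Access", 2), ("Free", 2)))
BAD = Lasso(trace(("Malloc", 1), ("Free", 1), ("Access", 1)),
            trace(("Malloc", 2), ("Free", 2)))
NONCES = Lasso([{"x": 1}], [{"x": 2}, {"x": 3}])

if __name__ == "__main__":
    print(holds(GOOD, 0, {}, NO_USE_AFTER_FREE), violations(BAD, FREED_OK))
```

A lasso contains only finitely many values, so `FRESH` is false on every lasso: the evaluator can refute freshness on such models but never confirm it.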

2.3 Satisfiability and model-checking problems

We recall below the problems we are interested in.

Satisfiability problem for CLTL$^{\downarrow}(\mathcal{D})$:
instance: a CLTL$^{\downarrow}(\mathcal{D})$ formula $\phi$;
question: is there a model $\sigma$ and an environment $\rho$ such that $\sigma \models_\rho \phi$?

Without loss of generality we can assume that no rigid variable occurs free in
$\phi$, which means that $\rho$ is not essential above.

The model-checking problem rests on $\mathcal{D}$-automata which are constraint
automata. A $\mathcal{D}$-automaton is simply a Büchi automaton with alphabet a finite
set of Boolean combinations of atomic CLTL$^{\downarrow}(\mathcal{D})$ formulae with terms of the
form $x$ and $Xx$ ($x \in$ FleVarSet). In a $\mathcal{D}$-automaton, letters on transitions
induce constraints between the variables of the current state and the variables
of the next state as done in [10]. Alternatively, labelling the transitions by
CLTL$^{\downarrow}(\mathcal{D})$ formulae (as done in [24]) would not modify essentially the
decidability status of model-checking problems considered in this paper.

Model-checking problem for CLTL$^{\downarrow}(\mathcal{D})$:
instance: a $\mathcal{D}$-automaton $A$ and a CLTL$^{\downarrow}(\mathcal{D})$ formula $\phi$;
question: are there a symbolic $\omega$-word $v = \phi_0, \phi_1, \ldots$ accepted by $A$, a model
$\sigma$ (a realisation of $v$) and an environment $\rho$ such that $\sigma \models_\rho \phi$ and for every
$i \geq 0$, $\sigma^i \models \phi_i$?

It is not difficult to show that as soon as $\mathcal{D}$ is non-trivial the satisfiability
problem and the model-checking problem are reducible to each other in
logarithmic space following techniques from [19]. In the sequel, we prove results for
the satisfiability problem but one has to keep in mind that our results extend
to the model-checking problem.

2.4 Expressive power

The freeze quantifier strictly increases expressive power. In order to
show formally that the freeze quantifier is powerful, we show that CLTL$^{\downarrow}(\mathbb{N}, =)$
is strictly more expressive than its freeze-free fragment CLTL$(\mathbb{N}, =)$. In fact,
$\phi_{\neq}$ is an example of a formula $\phi$ in CLTL$^{\downarrow}(\mathbb{N}, =)$ with no free rigid variable for
which there is no equivalent formula $\psi$ in CLTL$(\mathbb{N}, =)$. The result will follow
from the following property.

Lemma 1 Every satisfiable formula $\phi$ in CLTL$(\mathbb{N}, =)$ has a model which
contains only finitely many distinct values. Moreover, the number of distinct
values is polynomial in $|\phi|$.

Proof. Let $\phi$ be a formula in CLTL$(\mathbb{N}, =)$ with variables in $\{x_1, \ldots, x_n\}$ and $k$
be equal to 1 plus the maximal $j$ such that $X^j x_i$ occurs in $\phi$ for some flexible
variable $x_i$. Let $C$ be the finite set of constraints of the form $X^{j_1} x_{i_1} = X^{j_2} x_{i_2}$
with $0 \leq j_1, j_2 \leq k - 1$ and $i_1, i_2 \in \{1, \ldots, n\}$.

We define a total ordering on $\{1, \ldots, n\} \times \mathbb{N}$ as follows: $(i, j) < (i', j')$ iff $j < j'$
or ($j = j'$ and $i < i'$). Given a model $\sigma : \mathbb{N} \to (\text{FleVarSet} \to \mathbb{N})$, we build a
model $\sigma' : \mathbb{N} \to (\text{FleVarSet} \to \{1, \ldots, kn\})$ such that $\sigma \models \phi$ iff $\sigma' \models \phi$.

If $x$ is a flexible variable not occurring in $\phi$, $\sigma'(i)(x) = 1$ for every $i \geq 0$.
Otherwise $\sigma'(0)(x_1) = 1$ ($(1, 0)$ is minimal wrt $<$). Now suppose that for every
$(i', j') < (i, j)$, $\sigma'(j')(x_{i'})$ has been already defined. We shall define $\sigma'(j)(x_i)$.
If for some $(i', j')$ in $\{(i'', j'') : 0 \leq j - j'' \leq k - 1,\ 1 \leq i'' \leq n,\ (i'', j'') < (i, j)\}$,
$\sigma(j')(x_{i'}) = \sigma(j)(x_i)$ then $\sigma'(j)(x_i)$ takes the value $\sigma'(j')(x_{i'})$. Otherwise,
$\sigma'(j)(x_i)$ takes an arbitrary value from the set

$$\{1, \ldots, k \times n\} \setminus \{\sigma'(j'')(x_{i''}) : 0 \leq j - j'' \leq k - 1,\ 1 \leq i'' \leq n,\ (i'', j'') < (i, j)\}$$

which is always possible since the second set has strictly less than $k \times n$
elements. One can show that for all $c \in C$ and $i \geq 0$, $\sigma'^i \models c$ iff $\sigma^i \models c$. Hence,
$\sigma \models \phi$ iff $\sigma' \models \phi$. □

Proposition 1 No formula of CLTL$(\mathbb{N}, =)$ is equivalent to the formula $\phi_{\neq}$
of CLTL$^{\downarrow}(\mathbb{N}, =)$.

The flatness concept is only related to occurrences of the freeze quantifier and
for instance the formulae of the form $\phi_{\neq}$ do not belong to the flat fragment. By
contrast, belongs to the flat fragment of CLTL$^{\downarrow}(\mathbb{N}, =)$. By Proposition 1,
the flat fragment of CLTL$^{\downarrow}(\mathbb{N}, =)$ is therefore strictly more expressive than
CLTL$(\mathbb{N}, =)$ since CLTL$(\mathbb{N}, =)$ is closed under negation.



Equivalent syntactic restrictions. We now show that expressiveness of
CLTL$^{\downarrow}(\mathcal{D})$ does not change if we restrict the freeze quantifier to refer only
to flexible variables in the current state, or if we restrict atomic formulae to
contain only rigid variables, or with both restrictions. Therefore, those
restrictions could have been incorporated into the definition of the logic. However,
we chose to allow terms of the form $X^n x$ with flexible $x$ in atomic
formulae in order to have CLTL$(\mathcal{D})$ as the freeze-free fragment, and to allow the
freeze quantifier to refer to the future so that formulae would be closed under
substitution of terms.

Proposition 2 For any formula $\phi$ of CLTL$^{\downarrow}(\mathcal{D})$, there exists an equivalent
formula $\phi'$ such that:

(I) any occurrence of $\downarrow$ in $\phi'$ is of the form $\downarrow_{y=x}$;

(II) FleVars($\phi'$) = FleVars($\phi$);

(III) RigVars($\phi'$) = RigVars($\phi$).

Proof. By structural induction on $\phi$, it suffices to prove the statement for
formulae of the form $\downarrow_{y = X^n x} \phi'$ where $\phi'$ satisfies (I).

This can be done by induction on $n$. The base case $n = 0$ is trivial. For the
inductive step, we use structural induction on $\phi'$. The most difficult case is
$\phi' = \phi'_1 U \phi'_2$. We then have

$$\downarrow_{y = X^{n+1} x} \phi'$$
$$\equiv\ \downarrow_{y = X^{n+1} x} (\phi'_2 \vee (\phi'_1 \wedge X\phi'))$$
$$\equiv\ (\downarrow_{y = X^{n+1} x} \phi'_2) \vee ((\downarrow_{y = X^{n+1} x} \phi'_1) \wedge X \downarrow_{y = X^n x} \phi')$$

and the induction hypotheses apply to each of the three freeze subformulae. □

It is worth observing that in the worst case, in the proof of Proposition 2, $\phi'$
can be exponentially larger than $\phi$.

Proposition 3 For any formula $\phi$ of CLTL$^{\downarrow}(\mathcal{D})$, there exists an equivalent
formula $\phi'$ such that:

• atomic formulae in $\phi'$ contain only rigid variables;

• if any occurrence of $\downarrow$ in $\phi$ is of the form $\downarrow_{y=x}$, then the same is true of $\phi'$;

• FleVars($\phi'$) = FleVars($\phi$);

• |RigVars($\phi'$)| = max{|RigVars($\phi$)|, $k$}, where $k$ is the maximum number of
distinct terms in any atomic subformula of $\phi$.

Proof. $\phi'$ is constructed from $\phi$ by translating only atomic subformulae of
$\phi$. For example, $R(X^2 x_1, y_1, X^3 x_2, X^2 x_3, x_4, y_2, x_4)$, where $x_i \in$ FleVarSet and
$y_i \in$ RigVarSet, is translated to

$$\downarrow_{y_3 = x_4} X^2 \downarrow_{y_4 = x_1} \downarrow_{y_5 = x_3} X^1 \downarrow_{y_6 = x_2} R(y_4, y_1, y_6, y_5, y_3, y_2, y_3)$$

where $y_3, \ldots, y_6$ are drawn from RigVars($\phi$) $\setminus \{y_1, y_2\}$. If that set does not have
enough elements, new rigid variable names are used. The latter can then be
reused in translations of other atomic subformulae. □



Flexible and finitary variables. If the domain $D$ has at least two
elements, and if the equality predicate is present, then formulae and models of
CLTL$^{\downarrow}(\mathcal{D})$ with $n > 2$ flexible variables can be translated to the fragment
with only one flexible variable.

Proposition 4 Let $\mathcal{D}$ be a constraint system with at least two elements and
equality. For any formula $\phi$ of CLTL$^{\downarrow}(\mathcal{D})$, one can compute in logarithmic
space a formula $\phi'$ of CLTL$^{\downarrow}(\mathcal{D})$ with a unique flexible variable and the same
set of rigid variables as $\phi$, such that $\phi$ is satisfiable iff $\phi'$ is satisfiable.

Proof. Let $\phi$ be a formula of CLTL$^{\downarrow}(\mathcal{D})$ with flexible variables $x_1, \ldots, x_n$.
We shall build in logspace a formula $\phi'$ of CLTL$^{\downarrow}(\mathcal{D})$ with only one flexible
variable $x'$ and the same set of rigid variables as $\phi$, such that $\sigma' \models_\rho \phi'$ iff there
exists $\sigma$ with $\sigma \models_\rho \phi$ and $\sigma'$ is an encoding of $\sigma$ in the following sense. A
valuation $\sigma(i) : \{x_1, \ldots, x_n\} \to D$ is encoded by $2n + 4$ consecutive values of
$x'$ in $\sigma'$ which form a sequence

d\, 4, d l , 4, d\, a(i)(xi), 4, <r(i)(x 2 ), o-(i)(x n ) 

Using the equality predicate, the values $d_j$ are constrained in $\phi'$ so that three
consecutive equal values occur in $\sigma'$ only at the beginnings of sequences which
encode valuations in $\sigma$.

The formula $\phi'$ is a conjunction $\phi_{enc} \wedge T(\phi)$ where $\phi_{enc}$ enforces that models are
sequences of length $2n + 4$ of the above form (details are omitted here). Formula
$T(\phi)$ is inductively defined as follows where $\mathit{start} = X(x' = Xx' \wedge x' = XXx')$:

• $T(R(t_1, \ldots, t_m)) = R(T(t_1), \ldots, T(t_m))$ where $T(y) = y$ if $y$ is rigid and
$T(X^k x_l) = X^{k \times (2n+4) + 3 + 2l} x'$,

• $T$ is homomorphic for Boolean connectives,

• $T(\downarrow_{y = X^k x_l} \phi_1) = \downarrow_{y = T(X^k x_l)} T(\phi_1)$,

• $T(\phi_1 U \phi_2) = (\mathit{start} \Rightarrow T(\phi_1))\, U\, (\mathit{start} \wedge T(\phi_2))$,

• $T(X\phi_1) = X^{2n+4} T(\phi_1)$. □

The logics CLTL$^{\downarrow}(\mathcal{D})$ as defined in Section 2.1 do not in general have
propositional variables. If $D$ has at least two elements and equality, then propositional
flexible variables, or a flexible variable ranging over a finite alphabet, can be
encoded using additional flexible variables over $D$ and equality. A translation
as above can then be employed to reduce the number of flexible variables.

For ease of expression, to avoid unnecessary constructs, and because equality
on the domain is not necessarily present, arbitrarily many flexible variables
and no special finitary variables are considered in the rest of the paper.



3 Decidability results

3.1 Finite domain case

In this section, we basically show that, when $\mathcal{D}$ is finite (with at least two
elements) and contains the equality predicate, CLTL$^{\downarrow}(\mathcal{D})$ is ExpSpace-complete.
In Theorem 1 below, we establish that ExpSpace-hardness is very common
when the freeze quantifier is present.

Theorem 1 Let $\mathcal{D}$ be a constraint system with equality such that the
underlying domain $D$ contains at least two elements. The satisfiability problem for
CLTL$^{\downarrow}(\mathcal{D})$ is ExpSpace-hard.

Proof. We prove this result by a reduction from an ExpSpace-complete tiling
problem (see e.g. [25]). A tile is a unit square of one of several types and the
tiling problem we consider is specified by means of a finite set $T$ of tile types
(say $T = \{t_1, \ldots, t_k\}$), two binary relations $H$ (horizontal matching relation)
and $V$ (vertical matching relation) over $T$ and two distinguished tile types $t_{init}$,
$t_{final} \in T$. The problem consists in determining whether, for a given number
$n$ in unary, the region $[0, \ldots, 2^n - 1] \times [0, \ldots, k - 1]$ of the integer plane for
some $k$ can be tiled consistently with $H$ and $V$, $t_{init}$ is the left bottom tile,
and $t_{final}$ is the right upper tile.

Given an instance $I = (T, t_{init}, t_{final}, n)$ of the tiling problem, we build a
CLTL$^{\downarrow}(\mathcal{D})$ formula $\phi_I$ such that $I = (T, t_{init}, t_{final}, n)$ has a solution iff $\phi_I$ is
CLTL$^{\downarrow}(\mathcal{D})$ satisfiable.

We consider the following flexible variables:

• $c_1, \ldots, c_n$ are variables that allow to count until $2^n$ and $x_0$, $x_1$ are variables
that will play the role of 0 and 1, respectively; there are corresponding rigid
variables $c'_1, \ldots, c'_n$; each element $(a, i)$ of a row $[0, \ldots, 2^n - 1] \times \{i\}$ such
that the binary representation of $a$ is $b_1 \ldots b_n$, satisfies $c_j = x_0$ iff $b_j = 0$ for
every $j \in \{1, \ldots, n\}$;

• for $t \in T$, $z^1_t$, $z^2_t$ are variables such that $D_t := z^1_t = z^2_t$ is the formula
encoding the fact that at a certain position of the integer plane the tile $t$ is
present. There are also rigid variables $z^{1\prime}_t$, $z^{2\prime}_t$ and $D'_t := z^{1\prime}_t = z^{2\prime}_t$;

• $end_1$, $end_2$ such that $\mathrm{END} := end_1 = end_2$;
The formula $\phi_I$ is the conjunction of the following formulae:

• The region of the integer plane for the solution is finite:

$$\neg\mathrm{END} \wedge (\neg\mathrm{END}\; U\; (c_1 = \cdots = c_n = x_0 \wedge G\,\mathrm{END}))$$

• $x_0$ and $x_1$ behave as different constants:

$$\neg(x_0 = x_1) \wedge G(x_0 = Xx_0 \wedge x_1 = Xx_1)$$

• There is exactly one tile per element of the plane region:

$$G(\neg\mathrm{END} \Rightarrow \bigvee_{t \in T} (D_t \wedge \bigwedge_{t' \neq t} \neg D_{t'}))$$

• Constraint on the right upper tile:

$$F(\bigwedge_{1 \leq i \leq n} (c_i = x_1) \wedge \neg\mathrm{END} \wedge D_{t_{final}} \wedge X\,\mathrm{END})$$

• Constraint on the left bottom tile:

$$\bigwedge_{1 \leq i \leq n} (c_i = x_0) \wedge D_{t_{init}}$$

• Incrementation of the counters $c_1, \ldots, c_n$:

G ( V ((A C J = x i) A c *-i = x o A -iEND) 

2<i<n+l i<j<n 

=*( A (cj = X Cj ) A Xcj_i = xi A A (Xc^^o)))) 

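• Limit condition for the incrementation of the counters $c_1, \ldots, c_n$:

$$G((\neg X\,\mathrm{END} \wedge c_1 = \cdots = c_n = x_1) \Rightarrow X(c_1 = \cdots = c_n = x_0))$$

• Horizontal consistency:

$$G(\underbrace{\neg(c_1 = \cdots = c_n = x_1) \wedge \neg\mathrm{END}}_{\text{not the last element of a row}} \Rightarrow \bigwedge_{t \in T} (D_t \Rightarrow \bigvee_{(t,t') \in H} X D_{t'}))$$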

• Vertical consistency:

not on the last row 



G(-iEND A F(X-iEND A ci = . . . = c n = x x ) 

\, c '=ci \-c' n =c n i- z }' =z} ^z?'=z? ' ' ' ^z}'=z} J'Z?' =z? 

'l 'l *1 *1 t k t k t k t k 

x((-. A ^ = Ci )u( A c ; = Ci aA(A^ V x a))) 

l<i<n l<i<n teT (t,t')eV 






It is not difficult to show that the instance $I = (T, t_{init}, t_{final}, n)$ has a solution
iff $\phi_I$ is CLTL$^{\downarrow}(\mathcal{D})$ satisfiable. □

This is reminiscent of the ExpSpace-hardness of Timed Propositional Temporal
Logic (TPTL) [12, Theorem 2], PLTL+Now (NLTL) [26, Proposition 4.7]
and a variant of the guarded fragment with transitivity [27, Theorem 2]. Our
ExpSpace-hardness proof is in the same vein since basically in CLTL$^{\downarrow}(\mathcal{D})$
we are able to count till $2^n$ using only a number of resources polynomial in $n$
and we can compare the truth value of atomic formulae in states of "temporal
distance" exactly $2^n$.

Our proof is a slight variant of the proof of [14, Theorem 6]: instead of using
integer periodicity constraints to count till $2^n$, $n$ binary counters are used.
Observe also that the resulting formula is not flat because of the encoding of
vertical consistency.

If we replace U by F, then NExpTime-hardness can be shown by reducing
from the $n \times n$ tiling problem with $n$ encoded in binary.

Finiteness of $\mathcal{D}$ allows us to show the decidability of CLTL$^{\downarrow}(\mathcal{D})$.

Theorem 2 Let $\mathcal{D}$ be a finite constraint system. The satisfiability problem for
CLTL$^{\downarrow}(\mathcal{D})$ is in ExpSpace.

Proof. Assume that $D = \{d_1, \ldots, d_l\}$. We introduce an auxiliary constraint
system $\mathcal{D}' = (D, P_1, \ldots, P_l)$ such that $P_i = \{d_i\}$. For convenience, we write $x = d_i$
instead of $P_i(x)$. We shall show how to reduce the satisfiability problem for
CLTL$^{\downarrow}(\mathcal{D})$ into the satisfiability problem for CLTL$(\mathcal{D}')$. PSpace-membership
of CLTL$(\mathcal{D}')$ is not very difficult to show and it is a direct consequence of [14,
Theorem 4].

We introduce a translation $T$ from CLTL$^{\downarrow}(\mathcal{D})$ formulae into CLTL$(\mathcal{D}')$
formulae defined as follows:

• $T$ is homomorphic for the Boolean operators and the temporal operators,

• $T(R(a_1, \ldots, a_n)) = \bigvee_{R(d_{i_1}, \ldots, d_{i_n})} (a_1 = d_{i_1} \wedge \cdots \wedge a_n = d_{i_n})$.

So far, the translation can be done in polynomial time and logarithmic space
since $|D|^m$ is a constant of CLTL$^{\downarrow}(\mathcal{D})$ where $m$ is the maximal arity of relations
in $\mathcal{D}$. The last clause of $T$ is related to the freeze quantifier:

ditD 

where $T(\psi)_{x'=d_i}$ is obtained from $T(\psi)$ by replacing every occurrence of $x' = d_j$
with $j \neq i$ by $\bot$ and every occurrence of $x' = d_i$ by $\top$. This step requires an
exponential blow up and therefore $|T(\phi)|$ is exponential in $|\phi|$. It is easy to
show that $\phi$ is CLTL$^{\downarrow}(\mathcal{D})$ satisfiable iff $T(\phi)$ is CLTL$(\mathcal{D}')$ satisfiable. Since $T$
may cause at most an exponential blow up and CLTL$(\mathcal{D}')$ is in PSpace, we
obtain that CLTL$^{\downarrow}(\mathcal{D})$ satisfiability is in ExpSpace. □

Our proof can be easily adapted if the freeze quantifier is replaced by the full
existential quantifier $\exists$.

Corollary 1 Let $\mathcal{D}$ be a finite constraint system with equality such that the
underlying domain $D$ contains at least two elements. The satisfiability problem
for CLTL$^{\downarrow}(\mathcal{D})$ is ExpSpace-complete.

A formula $\phi \in$ CLTL$^{\downarrow}(\mathcal{D})$ is of $\downarrow$-height $k$, for some $k > 0$, whenever every
branch of the formula tree of $\phi$ has at most $k$ freeze quantifiers. For example,
the formula $\downarrow_{x'=x} (y = x')\, U \downarrow_{x'=z} y = x'$ is of $\downarrow$-height 2.

Corollary 2 Let $\mathcal{D}$ be a finite constraint system. For every $k > 0$, the
satisfiability problem for CLTL$^{\downarrow}(\mathcal{D})$ restricted to formulae of $\downarrow$-height $k$ is in
PSpace.

The complexity of CLTL$^{\downarrow}(\mathcal{D})$ with finite $\mathcal{D}$ and restricted to the 'sometimes'
operator F is still open. (NExpTime-hardness and ExpSpace upper bound
are known.)

3.2 Flat fragment between CLTL$(\mathcal{D})$ and CLTL$^{\downarrow}(\mathcal{D})$

The main result of this section is to show that the freeze quantifier in the flat
fragment of CLTL$^{\downarrow}(\mathcal{D})$ can be encoded faithfully into CLTL$(\mathcal{D})$ even though
flat CLTL$^{\downarrow}(\mathcal{D})$ can be more expressive than CLTL$(\mathcal{D})$, see for instance the
case with $\mathcal{D} = (\mathbb{N}, =)$ in Section 2.4. However, as shown below, satisfiability
for flat CLTL$^{\downarrow}(\mathbb{N}, =)$ can be reduced in logarithmic space to satisfiability for
CLTL$(\mathbb{N}, =)$. By analogy, CTL* model-checking can be reduced to LTL
model-checking [28] even though CTL* is more expressive than LTL.

It is worth observing that our concept of flatness restricts the interplay
between future-time operators and the freeze quantifier as done in [22,10,23] to
limit the interaction between modalities and freeze-like quantifiers. In order to
understand why flat formulae are more manageable, in a formula like $\downarrow_{y=x} F\phi$
that is flat, only the current value of $x$ needs to be stored. By contrast, in a
formula like $G \downarrow_{y=x} \phi$ that is not flat, one needs to store as many values of $x$
as there are positions.

We assume that the flexible variables of CLTL$^{\downarrow}(\mathcal{D})$ are $\{x_0, x_1, \ldots\}$ and the
rigid variables of CLTL$^{\downarrow}(\mathcal{D})$ are $\{y_0, y_1, \ldots\}$. For ease of presentation, we
assume that the flexible variables of CLTL$(\mathcal{D})$ are composed of the following two
disjoint sets: $\{x_0, x_1, \ldots\}$ and $\{y_0^{new}, y_1^{new}, \ldots\}$. We define a map $u$ from the flat
fragment of CLTL$^{\downarrow}(\mathcal{D})$ into CLTL$(\mathcal{D})$ as follows: $u$ replaces each $y_j$ by $y_j^{new}$ in
atomic formulae, it is homomorphic for Boolean and temporal operators, and

$$u(\downarrow_{y_j = X^n x} \psi) = y_j^{new} = X^n x \wedge G(y_j^{new} = X y_j^{new}) \wedge u(\psi)$$

It is easy to show that $u(\phi)$ can be computed in logarithmic space in $|\phi|$.

Proposition 5 Let T> be a constraint system with equality. For any formula 
4> of the fiat fragment of CLTL^(V), (f) is CLTL^(V) satisfiable iff u(<f>) is 
CLTL{V) satisfiable. 

Proof. Given a model a of CLTL^("D), an environment p and a formula 
we say that the model a' of CLTL('D) agrees with a, p and <f> iff for all 
i,j > 0, a(i)(xj) = a'(i)(xj) and for all free rigid variable yj in (f> and i > 0, 
a'( l )(y^)=p(y j ). 

We shall use the following basic properties: 

• u (i/j) =ipi£ip belongs to CLTL(D). 

• If a' agrees with a, p and ip then (a') 1 agrees with a\ p and ip for every 
i > 0. 

Given the occurrence of a subformula $\psi$ in $\phi$ with positive [resp. negative]
polarity, we write the sign $s_\psi$ to denote the empty string [resp. $\neg$]. By
abusing notation, we do not distinguish subformulae from occurrences.

We shall show by structural induction that for any occurrence of a subformula
$\psi$ in $\phi$, for all models $\sigma$ of $\mathrm{CLTL}^{\downarrow}(\mathcal{D})$ and environment $\rho$,
$\sigma \models_\rho s_\psi \psi$ iff there is $\sigma'$ that agrees with $\sigma$, $\rho$ and $\psi$ such that
$\sigma' \models s_\psi u(\psi)$. Statement of the lemma is then immediate.

The base case with atomic formulae and the cases in the induction step with
$\neg$, $\wedge$ and $\mathsf{X}$ are by an easy verification. By way of example, we treat the
case with $\psi = \neg\psi'$ with negative polarity. So $\psi'$ occurs with positive
polarity. Let $\sigma$ be a model and $\rho$ be an environment such that
$\sigma \models_\rho \neg\neg\psi'$. The statements below are equivalent:

• $\sigma \models_\rho \neg\neg\psi'$,

• $\sigma \models_\rho \psi'$,

• there is $\sigma'$ that agrees with $\sigma$, $\rho$ and $\psi'$ such that $\sigma' \models u(\psi')$ (by (IH)
and change of polarity),

• there is $\sigma'$ that agrees with $\sigma$, $\rho$ and $\psi'$ such that $\sigma' \models \neg u(\neg\psi')$ (by
definition of $u$).

Let us treat the remaining cases.

Case 1: $\psi = \psi_1 \mathsf{U} \psi_2$ with positive polarity.

Since $\phi$ belongs to the flat fragment, we have $\psi_1 = u(\psi_1)$. Let $\sigma$ be a model
and $\rho$ be an environment such that $\sigma \models_\rho \psi$. The statements below are
equivalent:

• $\sigma \models_\rho \psi$,

• there is $i \geq 0$ such that $\sigma^i \models_\rho \psi_2$ and for every $j < i$, $\sigma^j \models_\rho \psi_1$,

• there is $\sigma'$ that agrees with $\sigma$, $\rho$ and $\psi_2$ such that $(\sigma')^i \models u(\psi_2)$ and for
every $j < i$, $(\sigma')^j \models u(\psi_1)$ (by (IH), $\psi_1 = u(\psi_1)$ and, $\sigma$ and $\sigma'$ agree on
flexible variables of $\psi_1$),

• there is $\sigma'$ that agrees with $\sigma$, $\rho$ and $\psi$ such that $\sigma' \models u(\psi_1) \mathsf{U} u(\psi_2)$
($\psi_1$ has no free rigid variable).

Case 2: $\psi = \psi_1 \mathsf{U} \psi_2$ with negative polarity.

Since $\phi$ belongs to the flat fragment, we have $\psi_2 = u(\psi_2)$ and both $\psi_1$ and
$\psi_2$ have negative polarity. Let $\sigma$ be a model and $\rho$ be an environment such
that $\sigma \models_\rho \neg\psi$. The statements below are equivalent:

• $\sigma \models_\rho \neg\psi$,

• either there is $j \geq 0$ such that $\sigma^j \models_\rho \neg\psi_1$ and for every $j < i$,
$\sigma^i \models_\rho \neg\psi_2$ or for every $i \geq 0$, $\sigma^i \models_\rho \neg\psi_2$,

• either there is $\sigma'$ that agrees with $\sigma$, $\rho$ and $\psi_1$ such that there is $j \geq 0$
such that $(\sigma')^j \models \neg u(\psi_1)$ and for every $j < i$, $(\sigma')^i \models \neg u(\psi_2)$ (by (IH)
and $\psi_2 = u(\psi_2)$) or there is $\sigma'$ that agrees with $\sigma$, $\rho$ and $\psi_2$ such that for
every $i \geq 0$, $(\sigma')^i \models \neg u(\psi_2)$ (by (IH)),

• there is $\sigma'$ that agrees with $\sigma$, $\rho$ and $\psi_1 \mathsf{U} \psi_2$ such that either there is
$j \geq 0$ such that $(\sigma')^j \models \neg u(\psi_1)$ and for every $j < i$, $(\sigma')^i \models \neg u(\psi_2)$ or
for every $i \geq 0$, $(\sigma')^i \models \neg u(\psi_2)$ ($\psi_2$ has no free rigid variables),

• there is $\sigma'$ that agrees with $\sigma$, $\rho$ and $\psi_1 \mathsf{U} \psi_2$ such that
$\sigma' \models \neg(u(\psi_1) \mathsf{U} u(\psi_2))$.

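Case 3: $\psi = \downarrow_{y = \mathsf{X}^n x} \psi'$.

Let $\sigma$ be a model and $\rho$ be an environment for and $\psi$. The statements
below are equivalent:

• $\sigma \models_\rho s_\psi \psi$,

• $\sigma \models_{\rho[y \mapsto \sigma(n)(x)]} s_{\psi'} \psi'$,

• there is $\sigma'$ that agrees with $\sigma$, $\rho[y \mapsto \sigma(n)(x)]$ and $\psi'$ such that
$\sigma' \models s_{\psi'} u(\psi')$ (by (IH)),

• there is $\sigma'$ that agrees with $\sigma$, $\rho[y \mapsto \sigma(n)(x)]$ and $\psi'$ such that
$\sigma' \models u(\psi')$ and $\sigma' \models \mathsf{G}(y^{new} = \mathsf{X} y^{new}) \wedge y^{new} = \mathsf{X}^n x$ ($y$ free in $\psi'$).

• there is $\sigma'$ that agrees with $\sigma$, $\rho$ and $\psi$ such that
$\sigma' \models u(\psi') \wedge \mathsf{G}(y^{new} = \mathsf{X} y^{new}) \wedge y^{new} = \mathsf{X}^n x$ ($\psi$ has less free rigid
variable than $\psi'$). □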

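Corollary 3 For every constraint system $\mathcal{D}$ which contains equality,
decidability of $\mathrm{CLTL}(\mathcal{D})$ implies decidability of the flat fragment of
$\mathrm{CLTL}^{\downarrow}(\mathcal{D})$.

Since $\mathrm{CLTL}(\langle \mathbb{Z}, <, = \rangle)$, $\mathrm{CLTL}(\langle \mathbb{N}, <, = \rangle)$ and
$\mathrm{CLTL}(\langle \mathbb{R}, <, = \rangle)$ are PSpace-complete [11], we can establish the
following corollary.

Corollary 4 Flat fragments of each of $\mathrm{CLTL}^{\downarrow}(\langle \mathbb{Z}, <, = \rangle)$,
$\mathrm{CLTL}^{\downarrow}(\langle \mathbb{N}, <, = \rangle)$, $\mathrm{CLTL}^{\downarrow}(\langle \mathbb{R}, <, = \rangle)$, and
$\mathrm{CLTL}^{\downarrow}(\mathcal{D})$ with $\mathcal{D}$ finite are PSPACE-complete.

Corollary 4 can be also adapted to the PSPACE-complete constrained version
of LTL introduced in [29].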



4 Undecidability results 

In this section, we shall prove that, if the domain is infinite, and if we do not
restrict to flat formulae, the satisfiability problem for $\mathrm{CLTL}^{\downarrow}(\mathcal{D})$ is
undecidable even if we only have the equality predicate. More precisely,
Theorem 3 below is a stronger result, stating that satisfiability is
$\Sigma^1_1$-hard, even restricted to formulae with 1 flexible variable and at most 2
rigid variables. (An exposition of the analytical hierarchy can be found
in [30].) A corollary of $\Sigma^1_1$-hardness is that the logic cannot be recursively
axiomatised.

The following proposition complements the main result in this section, and
states that, for countable and computable constraint systems $\mathcal{D}$, satisfiability
for $\mathrm{CLTL}^{\downarrow}(\mathcal{D})$ is in $\Sigma^1_1$. Hence, for a countably infinite domain, the
problem in Theorem 3 is $\Sigma^1_1$-complete.

Proposition 6 If $D$ is countable, and $(R_i)_{i \in I}$ is a countable family of
computable relations on $D$, then the satisfiability problem for
$\mathrm{CLTL}^{\downarrow}(D, (R_i)_{i \in I})$ is in $\Sigma^1_1$.

Proof. Let $\phi$ be a formula of $\mathrm{CLTL}^{\downarrow}(D, (R_i)_{i \in I})$. We can assume
FleVarSet = FleVars($\phi$) and RigVarSet = RigVars($\phi$). Let $n$ = |FleVarSet|,
$m$ = |RigVarSet|. Any model $\sigma : \mathbb{N} \to (\mathrm{FleVarSet} \to D)$ can be encoded by
functions $f_1, \ldots, f_n : \mathbb{N} \to \mathbb{N}$, and any environment $\rho : \mathrm{RigVarSet} \to D$ as
an $m$-tuple $a_1, \ldots, a_m : \mathbb{N}$. A first-order predicate on $f_1, \ldots, f_n$ and
$a_1, \ldots, a_m$ which expresses that $\sigma \models_\rho \phi$ is routine to construct by
structural recursion on $\phi$. We conclude that satisfiability of $\phi$ can be
expressed by a $\Sigma^1_1$-sentence. □

We shall prove that the satisfiability problem for a fragment of
$\mathrm{CLTL}^{\downarrow}(D, =)$ is $\Sigma^1_1$-hard by reducing from the Recurrence Problem for
nondeterministic 2-counter machines, which was shown to be $\Sigma^1_1$-hard in
[12, Section 4.1].

A nondeterministic 2-counter machine $M$ consists of two counters $C_1$ and $C_2$,
and a sequence of $n \geq 1$ instructions, each of which may increment or
decrement one of the counters, or jump conditionally upon one of the counters
being zero. After the execution of a non-jump instruction, $M$ proceeds
nondeterministically to one of two specified instructions. Therefore, the
$l$-th instruction is written as one of the following:

$l$ : $C_i := C_i + 1$; goto $l'$ or goto $l''$
$l$ : $C_i := C_i - 1$; goto $l'$ or goto $l''$
$l$ : if $C_i = 0$ then goto $l'$ else goto $l''$

We represent the configurations of $M$ by triples $(l, c_1, c_2)$, where
$1 \leq l \leq n$, $c_1 \geq 0$, and $c_2 \geq 0$ are the current values of the location counter
and the two counters $C_1$ and $C_2$, respectively. The consecution relation on
configurations is defined in the obvious way, where decrementing 0 yields 0. A
computation of $M$ is an $\omega$-sequence of related configurations, starting with
the initial configuration $(1, 0, 0)$. The computation is recurring if it contains
infinitely many configurations with the value of the location counter being 1.

The Recurrence Problem is to decide, given a nondeterministic 2-counter
machine $M$, whether $M$ has a recurring computation. This problem is
$\Sigma^1_1$-hard.

Theorem 3 If $D$ is infinite, then the satisfiability problem for
$\mathrm{CLTL}^{\downarrow}(D, =)$ with |FleVarSet| = 1 and |RigVarSet| = 2 is $\Sigma^1_1$-hard.

Proof. Suppose $M$ is a nondeterministic 2-counter machine. We construct a
formula $\phi_M$ of $\mathrm{CLTL}^{\downarrow}(D, =)$ such that |FleVars($\phi_M$)| = 1,
|RigVars($\phi_M$)| = 2, and $\phi_M$ is satisfiable iff $M$ has a recurring computation.
The basis of the construction is an encoding of computations of
nondeterministic 2-counter machines by models of $\mathrm{CLTL}^{\downarrow}(D, =)$ with one
flexible variable, i.e. by $\omega$-sequences of elements of $D$. As in the proofs of
[12, Theorems 6 and 7], which show $\Sigma^1_1$-hardness of satisfiability of formulae
of TPTL extended with either multiplication by 2 or dense time, we shall encode
the value of a counter by a sequence of that length. However, much further work
is needed in this proof because the only operation we have on elements of $D$ is
equality.

Let $n$ be the number of instructions in $M$. We encode a configuration
$(l, c_1, c_2)$ by a sequence of elements of $D$ of the form

$$d\; d\; d'\; d\; \underbrace{\ldots\, d'\, \ldots}_{n}\; f^1_1 \ldots f^1_{c_1}\; e\; e\; e'\; e''\; f^2_1 \ldots f^2_{c_2}$$

where:

(i) the only two pairs of equal consecutive elements are $dd$ and $ee$, and also
$f^2_{c_2}$ is distinct from the first element in the encoding of the next
configuration,

(ii) $e \neq e''$,

(iii) after the first 4 elements, there is a sequence of $n$ elements, and only the
$l$-th equals $d'$,

$\phi^{init}_M \stackrel{\mathrm{def}}{=} \mathit{start}_d \wedge \mathsf{X}^2 x = \mathsf{X}^4 x \wedge \mathsf{X}^{n+4}(\mathit{start}_e \wedge \mathsf{X}^4(\mathit{start}_{d \vee e}))$
b giob ^ f G ( startd ^ A startc ^ ^,2) 

in dd!d...d! ... any two consecutive values are distinct 



/n+3 \ 

r,^ (AXV/ X' ; ,j 

in ...d! ... exactly one value equals d' 



(l-l n 
j=l j=m 

/j.-./cj mutually distinct 

AX n+4 (^ !S 'U startej 

$f^2_1 \ldots f^2_{c_2}$ mutually distinct
^= (^A X l x ^ X m xJ A X 4 (^* si U start d )
$\chi_{dist} \stackrel{\mathrm{def}}{=} \neg \mathit{start}_{d \vee e} \wedge \downarrow_{y=x} \mathsf{X}((\neg \mathit{start}_{d \vee e} \wedge x \neq y)\, \mathsf{U}\, \mathit{start}_{d \vee e})$



Fig. 1. 

(iv) $f^i_1, \ldots, f^i_{c_i}$ are mutually distinct, for each $i$.

We write $\mathit{start}_{d \vee e}$ to denote the formula $x = \mathsf{X}^1 x$ stating that the current
state is an occurrence of either $dd$ or $ee$. We write $\mathit{start}_d$ [resp.
$\mathit{start}_e$] to denote the formula $\mathit{start}_{d \vee e} \wedge x = \mathsf{X}^3 x$ [resp.
$\mathit{start}_{d \vee e} \wedge x \neq \mathsf{X}^3 x$] stating the current state is a first occurrence of
$d$ [resp. $e$] in $dd$ [$ee$].

The formula $\phi_M$ is defined as a conjunction

$$\phi^{init}_M \wedge \phi^{glob}_M \wedge \phi^1_M \wedge \cdots \wedge \phi^n_M \wedge \phi^{rec}$$

where the first two conjuncts state that the model is a concatenation of
configuration encodings which satisfy (i)-(iv) above, and that it begins with an
encoding of the initial configuration $(1, 0, 0)$. Their definitions are given in
Figure 1.

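For any $l \in \{1, \ldots, n\}$, $\phi^l_M$ states that, whenever the model contains an
encoding of a configuration $(l, c_1, c_2)$, then the next encoding is of a
configuration which is obtained by executing the $l$-th instruction.

Consider the most complex case: $l$ : $C_2 := C_2 - 1$; goto $l'$ or goto $l''$. The
formula $\phi^l_M$ needs to state that, whenever the location counter is $l$, $C_1$
remains the same, $C_2$ either remains 0 or is decremented, and the next value of
the location counter is either $l'$ or $l''$:

$$\phi^l_M \stackrel{\mathrm{def}}{=} \mathsf{G}\big((\mathit{start}_d \wedge \mathsf{X}^2 x = \mathsf{X}^{l+3} x) \Rightarrow \mathsf{X}^{n+4}(\chi^1_{eq} \wedge (\neg \mathit{start}_{d \vee e}\, \mathsf{U}\, (\mathit{start}_e \wedge \mathsf{X}^4(\chi^2_{dec} \wedge (\neg \mathit{start}_{d \vee e}\, \mathsf{U}\, (\mathit{start}_d \wedge (\mathsf{X}^2 x = \mathsf{X}^{l'+3} x \vee \mathsf{X}^2 x = \mathsf{X}^{l''+3} x)))))))\big)$$

$$\begin{array}{ll}
\chi^2_{dec} \stackrel{\mathrm{def}}{=} & \\
\quad ((x = \mathsf{X}^1 x \vee \mathsf{X}^1 x = \mathsf{X}^2 x) \wedge (\neg \mathit{start}_e\, \mathsf{U}\, (\mathit{start}_e \wedge \mathsf{X}^4(x = \mathsf{X}^1 x)))) \;\vee & \text{($0 \leq C_2 \leq 1$ and the next value of $C_2$ equals 0)} \\
\quad \neg(x = \mathsf{X}^1 x \vee \mathsf{X}^1 x = \mathsf{X}^2 x) \;\wedge & \text{($C_2 > 1$)} \\
\quad (\downarrow_{y=x} \neg \mathit{start}_e\, \mathsf{U}\, (\mathit{start}_e \wedge \mathsf{X}^4(\neg \mathit{start}_d \wedge x = y))) \;\wedge & \text{(A)} \\
\quad ((\neg \mathsf{X}^2 \mathit{start}_{d \vee e} \wedge (\downarrow_{y=x} \mathsf{X} \downarrow_{y'=x} (\neg \mathit{start}_e\, \mathsf{U}\, (\mathit{start}_e \wedge \mathsf{X}^4(x \neq y\, \mathsf{U}\, (x = y \wedge \mathsf{X}^1 x = y'))))))\, \mathsf{U}\, \mathsf{X}^2 \mathit{start}_{d \vee e}) \;\wedge & \text{(B)} \\
\quad ((\mathsf{X}^2 \neg \mathit{start}_d)\, \mathsf{U}\, (\mathsf{X}^2 \mathit{start}_d \wedge \downarrow_{y=x} \neg \mathit{start}_e\, \mathsf{U}\, (\mathit{start}_e \wedge \mathsf{X}^4(x \neq y\, \mathsf{U}\, (x = y \wedge \neg \mathit{start}_d \wedge \mathsf{X}^2 \mathit{start}_d))))) & \text{(C)}
\end{array}$$

Fig. 2.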

The formula $\chi^2_{dec}$ given in Figure 2 specifies that, if the current value of
$C_2$ is either 0 or 1, then the next value of $C_2$ is 0; and if neither, then the
next encoding of the value of $C_2$ equals the current encoding with the last
element removed.

The latter is specified as the following conjunction: 

(A) the first element of the current encoding equals the first element of the 
next encoding, and 

(B) for any consecutive pair $y$ and $y'$ of elements in the current encoding such
that $y'$ is not the last element, the first occurrence of $y$ in the next encoding
is followed by $y'$, and

(C) the element before the last in the current encoding is the last element in
the next encoding.

The formula $\chi^1_{eq}$, which specifies that the value of $C_1$ remains the same, is
defined similarly.

Definitions of $\phi^l_M$ for other forms of instruction use the same machinery. For
incrementing a counter, it is not necessary to specify that the additional
element in the next encoding is distinct from the rest, because that is ensured
by $\phi^{glob}_M$.

Finally, $\phi^{rec} = \mathsf{G}\mathsf{F}(\mathit{start}_d \wedge \mathsf{X}^2 x = \mathsf{X}^4 x)$ states that the model encodes a
recurring computation. □
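The configuration encoding and the formulae $\mathit{start}_d$, $\mathit{start}_e$ and the body of $\phi^{rec}$ from the proof above, as an added Python example that is not part of the paper: it runs a constructed 4-instruction machine, encodes the resulting finite prefix with fresh integers standing in for elements of $D$, and recovers every configuration using equality tests only. The tuple format of instructions, the sample machine and all function names are assumptions of this example.

```python
from itertools import count

def run(machine, choices):
    """Prefix of a computation from (1, 0, 0); choices[k] picks l' (0) or l'' (1)
    after a non-jump instruction and is ignored by conditional jumps."""
    l, c = 1, [0, 0]
    trace = [(l, c[0], c[1])]
    for pick in choices:
        op, i, la, lb = machine[l]
        if op == "jz":
            l = la if c[i - 1] == 0 else lb
        else:
            c[i - 1] = c[i - 1] + 1 if op == "inc" else max(c[i - 1] - 1, 0)
            l = (la, lb)[pick]
        trace.append((l, c[0], c[1]))
    return trace

def encode(trace, n):
    """Data word for a list of configurations. Every value is fresh except for
    the equalities the encoding requires: d d d' d, l-th block element d', e e."""
    fresh, word = count(), []
    for l, c1, c2 in trace:
        d, d1 = next(fresh), next(fresh)
        block = [d1 if j == l else next(fresh) for j in range(1, n + 1)]
        f1 = [next(fresh) for _ in range(c1)]
        e, e1, e2 = next(fresh), next(fresh), next(fresh)
        f2 = [next(fresh) for _ in range(c2)]
        word += [d, d, d1, d] + block + f1 + [e, e, e1, e2] + f2
    return word

def eq(w, p, i, j):
    """X^i x = X^j x at position p (False past the end of a finite prefix)."""
    return p + max(i, j) < len(w) and w[p + i] == w[p + j]

def start_d_or_e(w, p):
    return eq(w, p, 0, 1)

def start_d(w, p):
    return start_d_or_e(w, p) and eq(w, p, 0, 3)

def start_e(w, p):
    return start_d_or_e(w, p) and p + 3 < len(w) and not eq(w, p, 0, 3)

def decode(w, n):
    """Recover the configurations from the word using equality tests only."""
    trace, p = [], 0
    while p < len(w):
        if not start_d(w, p):
            raise ValueError(f"no configuration starts at position {p}")
        locs = [l for l in range(1, n + 1) if eq(w, p, 2, l + 3)]
        if len(locs) != 1:
            raise ValueError("the location block must contain d' exactly once")
        q, c1 = p + n + 4, 0                    # q: first position of the C1 block
        while q + c1 < len(w) and not start_e(w, q + c1):
            c1 += 1
        r, c2 = q + c1 + 4, 0                   # r: first position of the C2 block
        if r > len(w):
            raise ValueError("truncated encoding")
        while r + c2 < len(w) and not start_d(w, r + c2):
            c2 += 1
        trace.append((locs[0], c1, c2))
        p = r + c2
    return trace

def recurrences(w):
    """Number of positions where start_d and X^2 x = X^4 x hold, i.e. encoded
    configurations whose location counter is 1 (the body of GF in phi_rec)."""
    return sum(start_d(w, p) and eq(w, p, 2, 4) for p in range(len(w)))

# Constructed 4-instruction machine: l -> (operation, counter, l', l'').
MACHINE = {1: ("inc", 1, 1, 2), 2: ("inc", 2, 2, 3),
           3: ("dec", 1, 3, 4), 4: ("jz", 1, 1, 3)}
TRACE = run(MACHINE, [0, 1, 1, 1, 0, 1, 0])
WORD = encode(TRACE, n=4)

if __name__ == "__main__":
    print(TRACE)
    print(decode(WORD, 4) == TRACE, recurrences(WORD))
```

The decoder never inspects a value itself, only whether two positions carry the same value, which is the only operation the logic has on elements of $D$.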

By Propositions 2 and 3, we have that Theorem 3 can be strengthened by
restricting to the fragment of $\mathrm{CLTL}^{\downarrow}(D, =)$ with |FleVarSet| = 1,
|RigVarSet| = 2 and such that the flexible variable occurs only in freeze
quantifiers of the form $\downarrow_{y=x}$.

By adapting the proof of Theorem 3, the variant of $\mathrm{CLTL}^{\downarrow}(D, =)$ over models
which are finite words is also undecidable, more precisely $\Sigma^0_1$-hard through
encoding the Halting Problem for 2-counter machines. This should be compared
with the undecidability of universality of 1-way nondeterministic register
automata [31, Theorem 5.1].

The proof of Theorem 3 can also be modified to yield, for $\mathrm{CLTL}^{\downarrow}(D, =)$
augmented with the past-time operator $\mathsf{U}^{-1}$ ('since') but restricted to 1 rigid
variable, $\Sigma^1_1$-hardness over infinite models and $\Sigma^0_1$-hardness over finite
models. The sets of values from $D$ which are used to encode counter values do
not have to be enumerated in the same order for consecutive configurations, and
simpler logical formulae suffice. These results are related to the
undecidability of emptiness of 2-way deterministic register automata: see
[32, Section 7], [31, Theorem 5.3].



5 Related work 

In this section, we compare the logic $\mathrm{CLTL}^{\downarrow}(\mathbb{N}, =)$ and the results in this
paper with a number of related works in the literature. We show that there is a
surprising variety of formalisms which involve the freeze quantifier or related
constructs, revealing links among several works which appear unconnected.
This confirms that the binding mechanism of the freeze quantifier is
fundamental.



LTL over concrete domains. Complexity results for Constraint LTL over 
concrete domains can be found in [16,17,11,18,14] (see also related results for 
description logics over concrete domains in [33]). Decidability and complexity 
issues for LTL over Presburger constraints have been studied for instance 
in [34,22,10,14]. Most decision procedures in the above-mentioned works are 
automata-based whereas undecidability proofs often rely on an easy encoding 
of the Halting Problem for 2-counter machines.
LTL over integer periodicity constraints augmented with the freeze quantifier
is shown to be ExpSPACE-complete in [14], but $\mathrm{CLTL}(\mathbb{N}, <, =)$ with the past-time
operator $\mathsf{F}^{-1}$ and $\downarrow$ is undecidable [14].

Real-time logics. Similar issues for real-time and modal logics equipped 
with the freeze quantifier have been considered in [12,35,13,36]. In spite of its 
rich language of constraints, TPTL model-checking is decidable [12] (discrete 
version). In this case, decidability is due to the subtle combination of the 
constraint system and the semantical restrictions (see also versions of metric 
temporal logics in [37,38]). 

The class of logics $\mathrm{CLTL}^{\downarrow}(\mathcal{D})$ defined in this paper is quite general and
it is not difficult to show that discrete-time TPTL [12] is exactly the fragment
of $\mathrm{CLTL}^{\downarrow}(\mathcal{D})$ where

• $D = \mathbb{N}$ and the only flexible variable is $t$ (time),

• the predicates of $\mathcal{D}$ are

$(x < c)_{c \in \mathbb{Z}}$, $(x < y + c)_{c \in \mathbb{Z}}$, $(x =_d c)_{c,d \in \mathbb{N}}$, $(x =_d y + c)_{c,d \in \mathbb{N}}$

where $=_d$ is equality modulo $d$, and

• the formulae are of the form $\mathsf{G}(t \leq \mathsf{X}t) \wedge \mathsf{G}\mathsf{F}(t < \mathsf{X}t) \wedge \phi$ with any use of
the freeze quantifier being of the form $\downarrow_{x=t}$.

In [12, Theorem 5], $\Sigma^1_1$-hardness of satisfiability for TPTL without the
monotonicity condition on time sequences is established. By Propositions 2
and 3, $\mathrm{CLTL}^{\downarrow}(\mathbb{N}, =)$ restricted to one flexible variable can be seen as the
fragment of TPTL where there are no atomic propositions, and where the only
operation on time is equality. Moreover, it is straightforward to see that
Theorem 3 in this paper still holds when satisfiability is restricted to models
which contain infinitely many values, which is equivalent to the progress
condition when the domain is $\mathbb{N}$. Therefore, a corollary of Theorem 3 is the
following strengthening of [12, Theorem 5]: satisfiability for TPTL without the
monotonicity condition remains $\Sigma^1_1$-complete even without atomic propositions
and with only equality constraints. (The proof of [12, Theorem 5] uses
arithmetic on time values.)

Hybrid, navigation, spatio-temporal, and similar logics. Hybrid logics (see
e.g. [39,40,41]) contain a variable-binding mechanism similar to the freeze
quantifier: $\downarrow_x \phi(x)$ holds true iff $\phi(x)$ holds true when the propositional
variable $x$ is interpreted as a singleton containing the current state. The
downarrow binder in such hybrid logics records the value of the current state.

Similarly, in temporal logic with forgettable past [26], the effect of the Now 
operator is that the origin of time takes the value of the current state: the
states before the current state are forgotten. Identical mechanisms are used in
navigation logics for object structures, see e.g. [42] and in half-order dynamic 
temporal logics interpreted over traces from sequence diagrams [43]. 

In the context of spatio-temporal logics, Wolter and Zakharyaschev
[16, Section 7] advocate the need to consider operators expressing constraints
of the form $\bigwedge_{i \in \mathbb{N}} R(x, \mathsf{X}^i y)$ and $\bigvee_{i \in \mathbb{N}} R(x, \mathsf{X}^i y)$. They are simple to
express in $\mathrm{CLTL}^{\downarrow}(\mathcal{D})$, as $\downarrow_{x'=x} \mathsf{G} R(x', y)$ and $\downarrow_{x'=x} \mathsf{F} R(x', y)$. These
formulae are in the flat fragment: see Section 3.2.



Quantified propositional temporal logic with repeating. The models
of Quantified Propositional Temporal Logic with Repeating (also known as
RQPTL) introduced in [44] can be encoded by $\mathrm{CLTL}^{\downarrow}(\mathbb{N}, =)$ formulae, unlike
the second-order quantification in the language. Such models are pairs of maps
$(\mu : \mathbb{N} \to S, \pi : S \to 2^{AP})$ where $S$ is an arbitrary set (of states). A possible
encoding is by treating $\mu$ as the interpretation of a distinguished flexible
variable, and using the freeze quantifier to specify that, whenever
$\mu(i) = \mu(j)$, any propositional variable has the same values at time points $i$
and $j$. (See Section 2.4 regarding encodings of propositional variables.)

On the other hand, the variant logic $\mathrm{RHLTL}^n$ [44, Section 4] can be shown
equivalent to $\mathrm{CLTL}^{\downarrow}(\mathbb{N}, =)$ with one flexible variable and $n$ rigid variables,
except that $\mathrm{RHLTL}^n$ does not have the $\mathsf{U}$ operator but has $\mathsf{F}$ and the
past-time operators $\mathsf{F}^{-1}$ and $\mathsf{X}^{-1}$. Theorem 3 in this paper and
$\Sigma^1_1$-hardness of $\mathrm{RHLTL}^2$ [44, Corollary 1] are therefore complementary
results.



Predicate λ-abstraction. A number of decidability and undecidability results
for half-order modal logics (to be compared with [35]) are presented in [45].
The half-order aspect of such logics is due to a predicate λ-abstraction
mechanism, which solves the famous problem of interpreting constants in modal
logic. Even though this construct is essentially the same as the freeze
quantifier, apparently there have been no cross-references between the
literature dealing with predicate λ-abstraction (e.g. [45,15]) and that dealing
with the freeze quantifier (e.g. [35,12,14,1]). However, several undecidability
results for LTL-like logics with predicate λ-abstraction have recently been
obtained in [15], independently and concurrently with [1]. The most related to
Theorem 3 in this paper are $\Sigma^1_1$-hardness results for the following logics:

(I) $\mathrm{LTL}_{\lambda=}$ with temporal operators $\mathsf{X}$ and $\mathsf{U}$, and with 3 rigid variables;

(II) $\mathrm{LTL}_{\lambda}$ with temporal operators $\mathsf{X}$ and $\mathsf{U}$, and with countably infinitely
many unary predicate symbols (but no equality).

Remarkably, $\mathrm{LTL}_{\lambda=}$ is essentially the same as $\mathrm{CLTL}^{\downarrow}(\mathbb{N}, =)$. The proofs of
(I) in [15] and of Theorem 3 above reduce from the same $\Sigma^1_1$-hard problem.
However, the encodings are different, enabling Theorem 3 to be sharper by
restricting to 1 flexible and 2 rigid variables.

An interesting discussion of applications to dynamic systems with resources, 
like communication protocols for mobile agents, can also be found in [15]. 



Monodic first-order temporal logics. Since freeze quantification is
first-order quantification over a singleton set, the freeze quantifier can be
expressed in first-order temporal logics [46,47,48,49]. Indeed,
$\mathrm{CLTL}^{\downarrow}(\mathbb{N}, =)$ satisfiability can be reduced to first-order temporal logic TC
satisfiability over the linear structure $(\mathbb{N}, <)$ (the latter logic was
introduced in [49, Chapter 11]). To each flexible variable $x$ one associates a
monadic predicate symbol $P_x$ in such a way that $P_x$ is interpreted as the
singleton set containing the value of $x$. A formula of the form
$\downarrow_{x'=\mathsf{X}x} \phi$ is then translated to $\exists x'\, \mathsf{X} P_x(x') \wedge \phi'$ where $\phi'$ is the
translation of $\phi$. The translation is homomorphic for Boolean and temporal
operators, whereas for instance $y = \mathsf{X}z$ with $y, z \in$ FleVarSet is translated
into $\exists x\, P_y(x) \wedge \mathsf{X} P_z(x)$. One needs also to be able to express that at every
state $P_x$ is interpreted by a singleton, which can be encoded by the formula
$\mathsf{G}(\exists z\, P_x(z) \wedge \forall z, z' (P_x(z) \wedge P_x(z') \Rightarrow z = z'))$.

Consider the fragment of $\mathrm{CLTL}^{\downarrow}(\mathbb{N}, =)$ with |RigVarSet| = 1. It is easy to
check that its translation is contained in the monodic fragment of TC with
equality, and with only two individual variables and monadic predicate
symbols. We recall that in the monodic fragment, any temporal subformula (i.e.
whose outermost construct is a temporal operator) must have at most one free
individual variable. Even though monodic TC over $(\mathbb{N}, <)$ is decidable [50],
its extension with equality is not [47], even with the above restrictions [46].

Logics and automata for data languages. In [51,52], data languages are
defined as sets of finite data words in $(\Sigma \times D)^*$ where $\Sigma$ is a finite alphabet
and $D$ is an infinite domain (generalising the concept of timed languages),
and automata which recognise data languages are introduced. The latter are
related to register and pebble automata for strings over infinite alphabets
(e.g. [31]).

First-order logic over finite data word models is considered in [53], with
motivations stemming from query languages for semistructured data. More
precisely, the carrier of a model is the set of positions in a data word, there
are no function symbols, the unary predicates correspond to elements of $\Sigma$, and
there are binary predicates $<$, $+1$, as well as $\sim$ which is interpreted as
equality of elements of $D$ at given positions. $\mathrm{FO}^k(\sim, <, +1)$ denotes such a
logic with $k$ variables. The main result of [53] is that satisfiability of
$\mathrm{FO}^2(\sim, <, +1)$ is decidable, by a doubly exponential-time reduction to
nonemptiness of multicounter automata. (The latter problem is decidable, but
there is no known elementary upper bound.)

The following variant of $\mathrm{CLTL}^{\downarrow}(D, =)$ has models which are words over
$\Sigma \times D$: there is one flexible variable $x$ which takes values in $D$, plus one
flexible variable $l$ which takes values in $\Sigma$ and on which freeze
quantification cannot be used, but to which unary predicates $P_a$ for equality
testing with $a \in \Sigma$ can be applied. Interestingly, that logic with infinite $D$
and 1 rigid variable is incomparable with $\mathrm{FO}^2(\sim, <, +1)$. In one direction,
$\mathrm{FO}^2(\sim, <, +1)$ cannot express the $\mathsf{U}$ operator, and also not formulae of the
form $\downarrow_{y=x} \phi$ where $y$ occurs in $\phi$ under two or more temporal operators. In
the other direction, $\mathrm{FO}^2(\sim, <, +1)$ can express past-time operators such as
$\mathsf{F}^{-1}$.



6 Conclusion 

We have shown that adding the freeze quantifier to $\mathrm{CLTL}(\mathcal{D})$ leads to
undecidability as soon as the underlying domain is infinite and the equality
predicate is part of $\mathcal{D}$. As illustrated in the paper, in most related work
dealing with undecidable logics having a binding mechanism similar to freeze
quantification, either past-time operators can be encoded or constraints richer
than equality are available.

The logic $\mathrm{CLTL}^{\downarrow}(\mathcal{D})$ is ExpSPACE-complete for most of finite domains $\mathcal{D}$.
In order to design a specification language over infinite domains with LTL
temporal operators and the freeze quantifier that admits a decidable
model-checking problem, syntactic restrictions could be a reasonable solution.
The existence of a logarithmic-space reduction from the flat fragment of
$\mathrm{CLTL}^{\downarrow}(\mathcal{D})$ into $\mathrm{CLTL}(\mathcal{D})$ when the equality predicate is present leads us
to believe that the flatness criterion is most relevant here.

As we have seen, the following fragments/variants of $\mathrm{CLTL}^{\downarrow}(D, =)$ with
infinite $D$ and |FleVarSet| = 1 are $\Sigma^1_1$-hard:

• the temporal operators are $\mathsf{X}$ and $\mathsf{U}$, and |RigVarSet| = 2;

• the temporal operators are $\mathsf{X}$, $\mathsf{U}$ and $\mathsf{U}^{-1}$, and |RigVarSet| = 1;

• the temporal operators are $\mathsf{X}$, $\mathsf{X}^{-1}$, $\mathsf{F}$ and $\mathsf{F}^{-1}$, and |RigVarSet| = 2;

It is open whether the intersections of these fragments are decidable.
Other open problems include:

• decidability in the presence of semantic restrictions such as reversal
boundedness [5] of a flexible variable;
• decidability over infinite domains without equality (and where equality is
not definable by other predicates), such as $(\{0, 1\}^*, <)$ with $<$ being either
the strict prefix relation or the strict subword relation.